PackageKit policy: background and plans

James Morris jmorris at namei.org
Fri Nov 20 08:33:20 UTC 2009


On Thu, 19 Nov 2009, Conrad Meyer wrote:

> > I think it's fair to say that having this happen as root would generally
> > be worse than it happening as an unprivileged user.  For the latter, the
> > attacker would need to also then succeed with a local privilege escalation
> > attack to the same effect.
> 
> On the contrary. On the typical single user system, it's just as bad if an 
> attacker can steal / delete / modify the user's files as it is if the attacker 
> can modify / delete system files. Privilege escalation isn't needed to delete 
> everything the single user cares about.

Note that I said generally.

In the specific case where the attacker only wants access to the user's 
files, can exploit an existing vulnerability to do so, and can also get 
the data back out without further privilege (if they want the data), then 
yes, it's game over at that point.

There are many possible scenarios where an attacker would want more 
privileged access to the system, e.g. install rootkits/firmware kits, 
modify firewall settings, run network services, attack other systems, 
evade detection etc.  IOW, the current landscape of Windows malware, 
data-stealing worms, botnets and so on.

Getting root access is much more valuable in the general case.

There are also the separate issues, as I mentioned subsequently, of 
increasing the attack surface, breaking the MAC model, and executing at 
full system privilege (also, without further authorization).

I think we're throwing away a lot of well-established security benefit in 
moving away from the simple model of using a root/wheel account (or sudo) 
for admin and a separate user account for everything else.


- James
-- 
James Morris
<jmorris at namei.org>